Technology Use Policy
Classification number | LCG 1109 |
---|---|
Framework category | Legal, Compliance and Governance |
Approving authority | Board of Governors |
Policy owner | Vice-President, Academic and Provost |
Approval date | April 23, 2020 |
Review date | March 2023 |
Supersedes | Policy on Acceptable Use of Information Technology, March 2006; May 2012; Editorial Amendments, February 18, 2020 |
Purpose
- The University owns, maintains and manages Information Technology (IT) resources to support the educational, instructional, research and administrative activities of the University.
- While University Members are free to use these valuable resources in pursuit of their individual and collective academic and administrative goals, it is equally important that safeguards are in place to ensure that the information, equipment and networks remain compliant, reliable, robust and secure.
- This Policy sets out the acceptable and responsible use of IT Resources in a manner that is consistent with the University’s values of integrity and responsibility, honesty and accountability, and intellectual rigour.
- Before University Members can access or use the University’s IT Resources, University Members must:
- review this Policy or a terms of use that fully complies with this policy, as well as other policies applicable to the type of user; and
- accept the University’s terms and conditions of use.
Definitions
- For the purposes of this Policy the following definitions apply:
“Electronically-Stored Information” means University Members’ personal electronic information, other than a University Record, that is created and communicated in digital form and which is accessible through IT Resources.
“Information Asset” means a fixed unit of information recorded by electronic means that is considered a University Record under the Records Management Policy.
“Guest” means any individual that is not a volunteer, Employee, or Student who uses or attempts to use IT Resources. A Guest who accepts the University’s terms and conditions of use is considered a University Member under this policy.
“IT Resources” are information technology resources provided by the University, whether on premises or hosted remotely. IT Resources include but are not limited to:
- networks, including wireless access services, wired networks, switching and routing, load balancers, firewalls, telecom equipment and cables, PBX and other network-related devices, equipment and services;
- servers;
- databases;
- business systems;
- student systems;
- learning management systems;
- websites;
- computers and computer systems, laptops, workstations, computer labs, mobile devices, including telephones, storage devices; and
- online collaborative tools including email, and social media sites (e.g., the University’s Twitter, Facebook and YouTube accounts).
“University Member” means any individual who is:
- Employed by the University (“Employee”);
- Registered as a student, in accordance with the academic regulations of the University (“Student”);
- Holding an appointment with the University, including paid, unpaid and/or honorific appointments; and/or
- Otherwise subject to University policies by virtue of the requirements of a specific policy (e.g. Booking and Use of University Space) and/or the terms of an agreement or contract.
Scope and Authority
- This Policy applies to all University Members’ use of IT Resources and all IT Resources. The use of personally-owned equipment that involves the use of IT Resources is also covered by this Policy.
- The University is fully committed to promoting and advocating academic freedom. This policy does not limit academic freedom.
- This Policy does not affect the rights of University Members to their intellectual property stored or transmitted using IT Resources. Intellectual property rights are governed by the University’s Intellectual Property Policy.
- The Provost and Vice-President, Academic or successor thereof, is the Policy Owner and is responsible for overseeing the implementation, administration and interpretation of this Policy.
Policy
- Authorized Use
- University Members will:
- Use IT Resources for which the University has given express authorization only for intended purpose(s);
- Take all reasonable steps to avoid compromising the confidentiality, integrity, and availability of IT Resources;
- Abide by applicable laws and regulations;
- Abide by applicable University policies; and
- Respect the rights and privacy of other University Members and those outside of the University community.
- University Members who fail to comply with this Policy will be subject to one or more of the consequences listed in Section 15.
- The University reserves the right to limit or restrict a University Member’s access to IT Resources based on:
- institutional priorities;
- financial considerations;
- one or more violations of this Policy or other University policies;
- contractual agreements; or
- provincial or federal laws.
- Reporting
- University Members are responsible for guarding against misuse or abuse of IT Resources.
- University Members will promptly report any known or suspected misuse of IT Resources or violation of this Policy to the Office of the Executive Director, IT Services.
- Specific Violations
- Unauthorized Use. Violations of Section 10.1.a) include, but are not limited to:
- using IT Resources without specific authorization where specific authorization is required;
- using another person’s electronic identity, password or log-in credentials for IT Resources;
- accessing files, data or processes without authorization;
- using IT Resources to hide a person’s actual identity;
- using IT Resources to interfere with other systems or persons;
- using IT Resources to harass or stalk another person or entity;
- sending threats, “hoax” messages, chain letters, or phishing;
- intercepting, monitoring, or retrieving any network communication without authorization; or
- circumventing or attempting to circumvent security mechanisms.
- Breach of Confidentiality, Integrity and Availability of IT Resources. Violations of Section 10.1.b) include, but are not limited to:
- obtaining or using someone else’s password or other authentication credentials for IT Resources;
- disclosing a personal password or other authentication credentials for IT Resources;
- permitting another User to access or use their account(s) provided by the University;
- propagating computer viruses, worms, Trojan Horses, malware or any other malicious code;
- preventing others from accessing an authorized service;
- spreading material that supports bulk mail, junk mail, or spamming;
- degrading or attempting to degrade performance or deny service; or
- corrupting, altering, destroying, or misusing data or information.
- Unlawful Use. Violations of Section 10.1.c) include, but are not limited to, using or attempting to use IT Resources to:
- pirate software;
- access material that is illegal, or that advocates or facilitates illegal acts;
- download, install, use, stream, or distribute unlawfully or illegally obtained media (e.g., software, music, movies);
- override, remove or pause any security software installed on IT Resources by the University or at its direction;
- access technology that is considered a controlled good under federal law on an unencrypted connection;
- commit criminal harassment, hate crimes, or libel and defamation;
- commit theft or fraud; or
- violate child pornography criminal laws.
- Breach of University policies. Violations of Section 10.1.d) include, but are not limited to, using or attempting to use IT Resources to:
- engage in academic dishonesty or plagiarism;
- engage in discrimination and harassment, including making threats, stalking, or distributing malicious material; or
- direct others to breach any provision of this policy.
- Breach of Privacy. Violations of Section 10.1.e) include, but are not limited to:
- accessing, attempting to access, or copying another person’s Electronically-Stored Information without authorization; or
- divulging sensitive personal data to which certain University Members have access concerning faculty, staff, or Students without a valid and lawful administrative or academic reason.
- Limitations on Personal Use by Employees
- Employees are permitted to use IT Resources for occasional and limited personal use, consistent with this Policy and the Personal Use of University Resources Policy.
- The viewing or distribution of harassing, defamatory, discriminatory, pornographic or hateful material and messages by Employees using IT Resources is prohibited, unless such prohibition infringes upon academic freedom.
- Investigation
- Reports of conduct by Employees in contravention of this Policy will be addressed by the following means:
- Harassment, violence or discrimination will be investigated under the Policy Against Harassment, Violence and Discrimination in the Workplace, and in accordance with any applicable collective agreements.
- Other violations can be addressed under the Code of Ethical Conduct Policy.
- Reports of conduct constituting Sexual Violence by or against a student will be subject to investigation and sanctions under the Student Sexual Violence Policy.
- Reports of conduct by Students in contravention of this Policy will be subject to investigation and sanctions under the Student Conduct Policy or Academic Integrity Policy, as applicable.
- Reports of conduct constituting Harassment or discrimination not subject to another policy will be investigated under the Harassment and Discrimination Policy.
- Reports of conduct by University Members other than Employees or Students in contravention of this Policy not addressed by another policy will be addressed by the Executive Director, IT Services, in consultation with the General Counsel.
- Consequences
- Users who violate this Policy or any other University policy may be subject to disciplinary action in accordance with a collective agreement, if applicable, up to and including, but not limited to:
- suspension of access to some or all IT Resources;
- student expulsion from the University;
- discipline and termination of employment; and/or
- legal action.
- Privacy
- The University respects University Members’ reasonable privacy expectations, but University Members will not have an expectation of complete privacy when using the University’s IT Resources.
- University Members’ privacy rights may be superseded by the University’s right to protect:
- the integrity of its IT Resources;
- the rights of other University Members or Guests; or
- the University’s property.
- The University reserves the right to monitor and log usage of its IT Resources.
- The University also reserves the right to examine and preserve material stored on or transmitted through its IT Resources at its sole discretion. Examples of situations where the University may exercise this right include but are not limited to situations where the University suspects:
- this Policy has been violated;
- any other University policy has been violated;
- any federal or provincial law has been violated; or
- examination is necessary to protect the integrity of its resources.
- The University will not normally access a University Member’s Electronically-Stored Information without consent except for certain limited and specific circumstances, including but not limited to:
- investigations regarding security, illegal activity, or activity that may contravene the University's Policies and Procedures;
- compassionate circumstances, as permitted by law;
- where necessary to carry out urgent operational requirements during an employee’s absence when alternative arrangements have not been made; and
- compliance with law or legal obligations.
Note: The University will exercise these access rights only if administrative approvals have been granted by the Chief Privacy Officer.
- Authorized University Employees or service providers under contract with the University, who operate and support IT Resources, may access Electronically-Stored Information without notice to University Members in order:
- to address emergency problems;
- to perform routine system maintenance; or
- for any other purpose required to maintain the integrity, security and availability of the IT Resources.
- In the process of monitoring IT Resources, the University will:
- use all reasonable efforts to limit access to University Members’ Electronically-Stored Information; and
- not disclose or otherwise use any University Members’ Electronically-Stored Information that has been accessed, except in accordance with the applicable University policies, procedures and guidelines, and as permitted or required by law.
- If the University is required to disclose a University Member’s Electronically-Stored Information, in accordance with the law, such disclosure will be reviewed and approved by the Chief Privacy Officer, prior to the release of the Electronically-Stored Information.
- Information Assets
- Employees who have deleted files from one IT Resource, such as a computer hard drive, are responsible for managing copies that may continue to exist in or on other IT Resources, such as shared drives. Employees are responsible for ensuring file management and disposition of Information Assets in accordance with the Records Management Policy, Records Classification and Retention Schedule, and Records Disposition Procedures.
- Information Assets created or received outside of IT Resources, such as on a personal smartphone or computer, must be stored on approved IT Resources as soon as possible to ensure continuity during an Employee’s absence.
Monitoring and Review
- This Policy will be reviewed as necessary and at least every three years. The Executive Director, Information Technology Services, or successor thereof, is responsible for monitoring and reviewing this Policy.
Relevant Legislation
Freedom of Information and Protection of Privacy Act, RSO 1990, c F.31
Canada’s Anti-Spam Legislation (An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23)
Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5
Defence Production Act (R.S.C., 1985, c. D-1)
Export and Import Permits Act (R.S.C., 1985, c. E-19)
Related Policies, Procedures & Documents
Information Security Policy
PCI Sustainability Policy
Records Management Policy
Records Retention and Classification Schedule
Records Disposition Procedures
Access to Information and the Protection of Privacy Policy
Personal Use of University Resources Policy
Student Conduct Policy
Academic Integrity Policy
Policy Against Violence, Harassment and Discrimination in the Workplace
Harassment and Discrimination Policy
Student Sexual Violence Policy and Procedures
Controlled Goods Policy (in development)